Popular VPN and Ad-Blocking Apps Are Secretly Harvesting User Data (buzzfeednews.com)
An anonymous reader quotes a report from BuzzFeed News: Sensor Tower, a popular analytics platform for tech developers and investors, has been secretly collecting data from millions of people who have installed popular VPN and ad-blocking apps for Android and iOS, a BuzzFeed News investigation has found. These apps, which don't disclose their connection to the company or reveal that they feed user data to Sensor Tower's products, have more than 35 million downloads. Since 2015, Sensor Tower has owned at least 20 Android and iOS apps. Four of these -- Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus -- were recently available in the Google Play store. Adblock Focus and Luna VPN were in Apple's App Store. Apple removed Adblock Focus and Google removed Mobile Data after being contacted by BuzzFeed News. The companies said they continue to investigate.
Once installed, Sensor Tower's apps prompt users to install a root certificate, a small file that lets its issuer access all traffic and data passing through a phone. The company told BuzzFeed News it only collects anonymized usage and analytics data, which is integrated into its products. Sensor Tower's app intelligence platform is used by developers, venture capitalists, publishers, and others to track the popularity, usage trends, and revenue of apps. Randy Nelson, Sensor Tower's head of mobile insights, said the company's apps do not collect sensitive data or personally identifiable information and that "the vast majority of these apps listed are now defunct (inactive) and a few are in the process of sunsetting." But, as BuzzFeed points out, most of the apps are no longer available "because they were removed due to policy violations."
I mean... (Score:5, Insightful)
At risk of sounding like a broken record.... I've often said if a product is free, you're likely the product...
Re:I mean... (Score:4, Interesting)
Re: (Score:3)
Yes, you are so right! I was always suspicious how those dastardly Debian developers can produce a distro for more than 20 years now and not wanting a single penny from me!
Of course they would want money from you, that's why there's a donations [debian.org] page.
Re: (Score:1)
Re: (Score:3)
With the usual bait-and-switch formula. You get the product for free, but then they sell you the consulting.
No, wait, that was Red Hat.
Re: (Score:2)
Re: (Score:2)
Okay, where's the paid option that doesn't still sell all your data on the data black market?
Re: (Score:2)
At risk of sounding like a broken record.... I've often said if a product is free, you're likely the product...
Didn't Jeff Bezos say this?
Re: (Score:2)
I'm not even sure! I must've heard it from somewhere though. =)
Re: (Score:2)
Exactly. If it isn't a product or service that you can run as a hobby, like the old dial-up BBSs, or a website that will cost you under $100 a month to operate, chances are they will need some sort of payment to keep it operational. This can be from any combination of advertising, collecting your user data, grants, government funding, corporate funding (often as a way to sell the higher end version of the product)....
Even if you don't have to pay them money it isn't free, and you will probably have to sacr
Re: (Score:1)
Re: (Score:3)
Not to mention, it's LOGICALLY the place shady government agencies are going to START with.
If I was the NSA, I'd be behind (or at least have my fingers deep into) every single VPN service that exists - *particularly* the ones set up in other countries.
Unless you build and run your OWN VPN system entirely by yourself, there's no way to be paranoid enough.
Re: (Score:3)
Which is exactly why I think Apple should offer their own VPN service, directly integrated into macOS and iOS.
Re: (Score:2)
At risk of sounding like a broken record.... I've often said if a product is free, you're likely the product...
Free healthcare for all!
Re: (Score:3)
That's not free, you're paying for it.
In case you're wondering what that "tax" thing is that everyone's bitching about.
Re: (Score:2)
Re: (Score:3)
Yes, somebody else made a comment similar to this, I think they were talking about Debian. I did make a bold statement, and you're right, my statement isn't always the case. (part of why I used the language 'likely' and not 'always') But I did make the statement in a very focused way, I was talking about an app, not a community driven ecosystem.
Linux, and the FSF as a whole are kind of odd beasts because they imply an awful lot. For one, they are open source, and the community gets to participate. My co
Re:I mean... (Score:5, Informative)
At risk of sounding like a broken record.... I've often said if a product is free, you're likely the product...
True, but these days even if you pay for it, you're still the product.
Pay for Windows, get tracked. Buy a Mac, get tracked. Buy any phone, get tracked.
The line between free and paid has been erased in pursuit of that sweet, sweet user data.
Re: I mean... (Score:4, Insightful)
Could it be... that all this tracking has jack to do with "ads" and everything to do with totalitarianism?
Why not both?
Re: (Score:2)
Re: (Score:2)
If I had points, I'd mod this up! lol
Re: (Score:1)
Re: (Score:2, Insightful)
I'm sure they do even in Europe. They just don't get caught.
Not surprising (Score:3)
The primary purpose of most public VPNs' existence is to take money from paranoiacs. Should I now be surprised they're taking personal data, too?
Re:Not surprising (Score:5, Informative)
It needs to be beat into everybody's head that VPNs are not for anonymity. It is not their purpose and never has been. If a company is telling you to "protect your privacy online" by using their service, they are lying to you.
VPNs encrypt data over the Internet. It's in the name, a virtual private network. If you control both ends of the VPN, it's your private network. If you're using somebody else's software and endpoint, it's their private network.
Re: Not surprising (Score:1)
Re: (Score:2)
I won't contest your point on being dyslexic, I also had a hard time reading that. But if we move beyond that, his point is valid. Generally speaking, using tunnels does projecrjkt (sorry couldn't resist) your privacy, from targeted actors, but it leaves the rest to trust.
I can maybe protect myself from party A from seeing what I am doing, but that doesn't protect me from party B...
It also does not protect against left payloads, you know cached java-script meant to do something later, which might not be not
Re: (Score:2)
It depends on the VPN, or more specifically how you paid for it.
For example Mullvad VPN doesn't need anything to sign up, not even an email address. It generates a random user account number for you. You can pay them anonymously, just send cash in an envelope with the account number written inside. That's what I do.
It's not perfect, they could look at the IP address that account connects from, but perfect is the enemy of good here. Any random copyright troll will get nowhere, and even the police will be larg
Re: (Score:3)
In a word: "Subpoena".
Police can compel the VPN-provider to allow them to monitor your traffic in real time, learning where else you're visiting using the same account, tying you to your Google, Quora (which insists on real names!), Facebook, and bank-accounts. Putting those records together, with the precise access timestamps, will identify you very quickly...
Old-fashioned way they can also take your fingerprint
Re: (Score:3)
This.
So long as you trust Mullvad to not change ownership, screw up or get subverted, you're probably as safe as one can get from the RIAA, Comcast, Disney, etc. I suppose, so gold star to you for that. But if you come under extreme scrutiny, your VPN habits won't be used to prosecute you, they'll be used to acquire a warrant, which is where the real evidence used against you will come from.
All of those "100% anonymous, no-log" VPNs may as well be a neon sign to intelligence agencies that says "Look Here Fir
Re: (Score:3)
The most they could do is monitor the VPN endpoint and see a load of encrypted traffic going to Google. Any attempt at MITM will be detected instantly.
Timestamps are useless unless they are also monitoring your home internet connection already and you don't have enough traffic on it to obfuscate what goes where.
This is some CSI Cyber grade stuff for the cops. Maybe MI5 or the FBI might be able to manage it but for €5/month I'll take that.
Re: (Score:3)
They don't need to know the content of the communication, just the fact of it. They would then ask Google, hey, who connected to your servers (identified by Google's IP-address(es)) at these times. Repeat for other services (Slashdot included) and look for overlap.
The "useless" timestamps are quite useful, they will allow to filter you from millions of hits Google is getting per day down to a few seconds w
Re: (Score:3)
Hmm, it still seems far fetched. Shared IP, lots of people use Google services, sites like Slashdot are served from a CDN so that IP address leads to hundreds or thousands of possibilities.
I'm not saying it's impossible but it's so much effort that only someone with considerable resources, acting at state level and with a compelling reason to do so will bother. And once the UK is out of the EU it will be even harder for them.
Tor is useful but slow, I can saturate my connection with Mullvad. What am I hiding?
Re: (Score:3)
Some VPNs were probably fighting for the good cause, but like in any market there will be people who will take advantage of it for less noble causes.
With https becoming more common, the need for a VPN diminishes if anonymity over a wireless network is a concern. If the reason is for working around geo detection, then there is probably still a need.
Re: (Score:3)
It may protect your privacy online. Basically, you're trading your ISP as the entity knowing every connection you make for someone else.
Depending on the ISP, this may actually improve your privacy level...
Re: (Score:3)
VPNs don't provide complete anonymity. They are useful to keep the local ISP from tracking traffic, injecting ads, trying DNS poisoning attacks, and other shenanigans. The traffic still has to pop out somewhere, and the VPN provider can easily collude with an ISP. However, it does provide some solid security, especially for Wi-Fi spots which demand E-mail addresses and other stuff before they give access.
Nice try scummy software shop (Score:2)
So this news should shut them down completely I sure hope.
root certificate (Score:1)